A lightweight attribute-based signcryption scheme based on cloud-fog assisted in smart healthcare

In the environment of big data of the Internet of Things, smart healthcare is developed in combination with cloud computing. However, with the generation of massive data in smart healthcare systems and the need for real-time data processing, traditional cloud computing is no longer suitable for resources-constrained devices in the Internet of Things. In order to address this issue, we combine the advantages of fog computing and propose a cloud-fog assisted attribute-based signcryption for smart healthcare. In the constructed “cloud-fog-terminal” three-layer model, before the patient (data owner)signcryption, it first offloads some heavy computation burden to fog nodes and the doctor (data user) also outsources some complicated operations to fog nodes before unsigncryption by providing a blinded private key, which greatly reduces the calculation overhead of resource-constrained devices of patient and doctor, improves the calculation efficiency. Thus it implements a lightweight signcryption algorithm. Security analysis confirms that the proposed scheme achieves indistinguishability under chosen ciphertext attack and existential unforgeability under chosen message attack if the computational bilinear Diffie-Hellman problem and the decisional bilinear Diffie-Hellman problem holds. Furthermore, performance analysis demonstrates that our new scheme has less computational overhead for both doctors and patients, so it offers higher computational efficiency and is well-suited for application scenarios of smart healthcare.


Introduction
Smart healthcare has emerged from the rapid advancement of the Internet of Things (IoT) [1].By leveraging advanced techniques such as big data, artificial intelligence, cloud computing and IoT, smart healthcare has facilitated the automation, informatization, and intelligence of medical services [2], it achieves the intelligence of healthcare capabilities, improves healthcare efficiency, and optimises patient experience services.Traditional paper-based Personal Health Records (PHR) have been replaced by electronic PHR [3], resulting in a massive influx of data and increased demands for device mobility and real-time processing.These challenges have posed significant limitations to traditional cloud computing.
Owing to the above problems, fog computing has been introduced [4].Fog computing provides a solution that is better suited to mobile IoT and a wide range of mobile applications by extending cloud computing to the network edge, closer to the end-user.With the exponential growth of IoT devices, cloud computing has faced the challenge of processing hundreds of millions of massive data.Fog computing, with its powerful computing capabilities, offers low latency and support for end user mobility, enabling the processing of data with low computing requirements.As a result, certain computing tasks is delegated to fog nodes by nearby endusers, reducing the computational burden for users, significantly improving the efficiency, and satisfies the requirements for real-time processing of mobile applications [5].
In the context of the smart health system, fog computing is positioned closer to the enduser, handling a significant amount of sensitive patient data that ultimately gets uploaded to the medical cloud for storage.Given the semi-trusted nature of the medical cloud, data processing is necessary prior to uploading to safeguard the integrity and privacy of the patient.To address this, the attribute-based cryptosystem offers enhanced privacy and security for patient data.It enables one-to-many access control with fine-grained, distinguishing itself from the traditional identity-based cryptosystem.The attribute-based cryptosystem was originated by the fuzzy identity-based cryptosystem proposed by Sahai et al. [6], which introduces the concept of attributes into the cryptosystem.This idea has found widespread application in smart health scenarios.Li et al. [7] presented an online/offline attribute-based encryption algorithm, offloading a portion of the decryption computation to ensure computational efficiency of IoT terminal devices.Similarly, Zhang et al. [8] provided a lightweight attribute-based encryption algorithm based on the smart health system, leveraging the concept of outsourcing.While traditional attribute-based cryptographic technology achieves fine-grained access control, it incurs a relatively high computational overhead.To mitigate this, Zhong et al. [9] introduced an edge-assisted attribute-based encryption algorithm that offloads part of encryption operations as well as decryption operations to edge nodes, reducing the computational burden on resource-constrained IoT devices.Drawing parallels to edge computing, fog computing also extends computational capabilities and data analysis functions to the network edge, forming a three-layer model known as "cloud-fog-devices".This model effectively addresses the latency issue associated with cloud computing.Several studies [10][11][12][13][14] have explored the application of fog computing to attribute-based encryption algorithms, outsourcing a majority of the decryption operations to fog nodes, thereby significantly easing the computational load on end users.In addition, in order to ensure the integrity of the data or the legitimacy of the identity of the receiver, the message to be encrypted is usually signed and the identity is authenticated by data owner [15][16][17].
The traditional idea of "encrypt first and then sign" has high computational overhead and communication cost.In view of this problem, the concept and scheme of signcryption are proposed for the first time in [18], which guarantees the confidentiality and unforgerability of messages.Attribute-based signcryption has been extensively researched in recent years by various scholars [19][20][21][22], enhancing the suitability and computational efficiency of attribute-based signcryption algorithms in real-world cloud storage environments.In the context of accessing Personal Health Records (PHR), references [23,24] propose two efficient attribute-based signcryption for multi-authority.Similarly, Liu et al. [25] present an attribute-based signcryption algorithm based on PHR, facilitating fine-grained data access control.For resource-constrained terminal devices in the IoT [26,27], adopt a strategy of outsourcing the decryption process to edge servers, effectively reducing user-end computing overhead.Additionally [26], supports the update of access policies.

Motivation and contributions
Combine the advantages of cloud-fog assistance, we present a lightweight attribute-based signcryption scheme for smart healthcare.Our approach leverages the three-layer model structure known as "cloud-fog-terminal" (illustrated in Fig 1) to establish a connection between the smart health system and the medical cloud.By employing fog computing as an intermediary bridge, we exploit its low latency, location-awareness, and powerful computing capabilities to ensure secure data transmission in terms of confidentiality.Additionally, some complicated operations in the signcryption and unsigncryption processes are offloaded to the nearby fog nodes, thereby reducing the computational overhead on data users, which proves particularly advantageous for resource-constrained terminal devices in smart healthcare.
In comparison to existing schemes, our work makes noteworthy contributions in the following: • Fog computing is structured as an intermediary link between the smart healthcare system and the medical cloud, making it easier for the fog nodes to collect and process data as they are spread around the data users.For the smart health system there are a huge number of IoT devices need to access the Internet through wireless, and have high requirements for mobility.Therefore, fog computing is more suitable for smart medical scenarios.
• In the scheme, the patient (data owner) delegates the computationally intensive tasks to the fog nodes during signcryption.Similarly, the doctor (data user) also offloads some heavy computing burden to the fog nodes by providing a blinded private key before performing unsigncryption.Specifically, in the signcryption and unsigncryption phase, the fog nodes are responsible for undertaking most of the complicated computations, such as the pairing operation.As a result, the client only needs to perform a simple multiplication operation in the process of user unsigncryption, which significantly reduces the computation burden for all client.
• The newly proposed scheme provides several advantages in terms of computational and communication overheads, as demonstrated through theoretical analysis and numerical simulation.The incorporation of fog computing significantly enhances the computational efficiency of data owner signcryption and data receiver unsigncryption in comparison to other schemes.This discrepancy becomes more pronounced as the number of attributes increases.Consequently, the proposed scheme is not only effective and practical, but also highly suitable for resource-constrained devices in the practical application of smart healthcare.

Organization
The subsequent sections are structured as follows.Section 2 presents various fundamental concepts such as the access tree and hardness assumption.Subsequently, Section 3 is an overview of the system model, algorithm formal definition, and the system security model.Following that, Section 4 presents the construction of the scheme in detail.Section 5 is dedicated to a detailed security analysis of our scheme, while Section 6 concentrates on analysing the efficiency of the system.Lastly, Section 7 proposes the conclusion of the article.

Access tree [7]
Let T be an access structure tree and x be a node in T .
(1).If x is a non-leaf node, then it stands for a threshold ("AND" or "OR") gate, which can be described by (k x , num x ), where num x is the number of child nodes of x and k x is its threshold value, 1 � k x � num x .When k x = 1, x is an "OR" gate; when k x = num x , it is an "AND" gate.
(2).If x is a leaf node, then it stands for a attribute and described by a threshold value k x = 1.
Denote the parent node of x in T as parent(x), and the attributes associated with the leaf node x in T as att(x).Each children of node x are numbered in a sequence from 1 to num x , the function index(x) denotes the index of x among its siblings.
Let T r be a access tree with root node r, T x be the subtree of T r rooted at x.If the attribute set S satisfies the subtree T x , we denote it as T x ðSÞ ¼ 1.Furthermore, T x ðSÞ can be calculated recursively by: if x is a non-leaf node, then T x ðSÞ ¼ 1 iff at least k x child nodes return 1 and if

Bilinear pairing map [28, 29]
Let G 0 and G 1 be two cyclic groups with the prime order p, and g is a generator of G 0 .Then the bilinear map e: G 0 × G 0 !G 1 can be defined as follows: Bilinearity: For all a; b 2 Z * p , e(g a , g b ) = e(g, g) ab .Non-degeneracy: e(g, g)6 ¼1.Computability: For all a, b 2 G 0 , there is an efficient algorithm to compute the map e(a, b).

Hardness assumption
DBDH assumption [22].Given an cyclic group G 0 with order p, a generator g of G 0 , a bilinear mapping e: G 0 × G 0 !G 1 and a; b; c 2 Z * p .The Decisional Bilinear Diffie-Hellman (CBDH) hardness assumption states that any Probabilistic Polynomial-Time (PPT) algorithm cannot decision e(g, g) abc 2 G 1 and a random Z 2 G 1 from a given triple ðA ¼ g 1 with a non-negligible probability.CBDH assumption [19].Given an cyclic group G 0 with order p, a generator g of G 0 , a bilinear mapping e: G 0 × G 0 !G 1 and a; b; c 2 Z * p .The Computational Bilinear Diffie-Hellman (CBDH) hardness assumption states that any PPT algorithm cannot compute e(g, g) abc 1 with a non-negligible probability.

System and security model
This section mainly includes an overview of the construction of system model, the formal definition of the proposed scheme and the elaboration of the system security model.

System model
Based on fog computing, we construct the lightweight attribute-based signcryption scheme in smart healthcare.As illustrated in Fig 2 , this system involves five entities, namely Private Key Generator (PKG), Medical Cloud (MC), Fog Nodes (FN), Data user (DU) and Data Owner (DO).
Private Key Generator: PKG initializes the system, then generates and distributes private keys to both the data owners (patients) and the data users (doctors).Medical Cloud: MC refers to the server of the hospital.As a semi-trusted third party due to its powerful storage capacity, MC is mainly responsible for storing a huge number of electronic health records in the form of ciphertext provided by DO.
Fog Nodes: As small medical centers deployed at the network edge, FN has enough storage space and computing power to help data users with local data processing.The data owner outsources some signcryption operations to the fog node, and the data user outsources some decryption operations to the fog node, so as to reduce the computational burden of the terminal devices.
Data Owner: DO refers to the patients.A enormous number of patients, as the source of data in the smart health system, have ownership and control over the data.The patient defines an access structure for the data that needs to be signcrypted, specifies the scope of authorized users, and their terminal devices signcrypt the data and store the final ciphertext to the medical cloud.
Data User: DU refers to doctors, medical researchers, or insurance company employees who need access to patient information.When DU accesses the data, it downloads the ciphertext from the medical cloud and performs the final unsigncryption.Only the users who satisfy the access policy can decrypt the ciphertext and access the data, which realizes the fine-grained access control.
Firstly, PKG initializes the system, then generates and distributes private keys to both the data owners (patients) and the data users (doctors).The health status and personal information of the patients are collected in real time by the wearable device.The collected data is signcrypted by the fog node, producing a part of the ciphertext.Subsequently, the patients perform the final signcryption and upload the final ciphertext to the medical cloud (hospital).When data users (such as doctors, medical researchers, insurance companies, etc.) request data, the ciphertext is retrieved from the medical cloud for preliminary unsigncryption.The fog node then assists the data users in performing partial operations, ultimately allowing the users to get the required data.

Formal definition
Now, we formalize the definition of the proposed schemes.This scheme is composed of the following six algorithms in PPT.
• KeyGen(pp, S, msk)!SK: PKG runs the key generation algorithm, taking as input public parameter pp, a attributes set S and master key msk, it generates and hands out private keys SK for DU.
• FN:SignðT ; SKÞ !CT 0 : After receiving the access structure T enacted by DO, FN takes this access policy as input and performs partial signcryption operations, and finally outputs part of the ciphertext CT 0 .
• DO:Signðm; T ; CT 0 Þ !CT: After FN performs part of the operation, DO executes this algorithm, it takes the message m, the enacted access structure T and the partial ciphertext CT 0 as the input of the algorithm, and finally generates the signature σ and the final ciphertext CT.
• FN:UnsignðCT; SK ; SÞ !ðB; T; FÞ: When FN receives the blinded private key SK of DU, it performs a partial unsigncryption operation, calculates some parameters (B, T, F) according to the recursive formula of the access tree, then sends the parameters to DU for final unsigncryption.
• DU.Unsign(CT, SK, S)!m: DU executes this algorithm, using ciphertext CT, private key SK and attribute set S as the input, if DU satisfies the access structure, it will get the plaintext m.

Security model
This section provides a formalization of the security of the scheme encompassing confidentiality and unforgeability, which are simulated as the following two games which are interactions between a challenger C and an adversary A within PPT.Game 1. Confidentiality Definition 1.The proposed attributed-based signcryption scheme is indistinguishable under chosen ciphertext attack (IND-CCA) against any adversary A possessing polynomial time capability, if the advantages of A in the following interaction are negligible: Initialization: Firstly, A generates a challenge attribute set denoted as S. To proceed, C executes the Setup to returns pp to A. Simultaneously, it retains msk secretly.
Query Phase 1: When A initiates a series of prophecy inquiry, C responds the inquiry as described below.
• Key extraction query: in the query, when A requests a private key SK with the attribute set S*, C executes KeyGen according to S* and returns the corresponding SK to A.
• Signcryption query: in the query, when A queries a ciphertext for any message m, C proceeds by selecting an attribute set S from T* firstly, it then runs the key extraction query and obtain SK, followed by executing the signcryption algorithm to encrypt and send the corresponding ciphertext CT to the adversary A.
• Unsigncryption query: For any attribute set S and the corresponding ciphertext CT queried by the adversary A, The first step performed by the challenger C is to execute the key extraction query and get SK, it then proceeds the unsigncryption algorithm to decrypts CT and returns the resulting output to A. Guess: If A can output a bit b 0 , and b 0 = b, then A wins the above game.The probablity advantage of A in the game can be defined as AdvðAÞ ¼ jpr½b 0 ¼ b� À 1 2 j.Game 2. Unforgeability Definition 2. The proposed attributed-based signcryption scheme is existential unforgeability under chosen message attack (EUF-CMA) against any adversary A possessing polynomial time capability, if the advantages of adversary A in the following interaction are negligible:

Challenge
Initialization: in this phase, A sends a attributes set S to C forge the ciphertext.To proceed, C executes the Setup to returns pp to A. Simultaneously, it retains msk secretly.
Query Phase: A initiates a prophecy inquiry, and C responds to the inquiry as described below.
• Key extraction query: in the query, A asks the user for the private key SK.After receiving attribute set S*, C runs the key generation algorithm and return the corresponding private key according to the attribute set S*.
• Signcryption query: if A wants to signcrypt message m*, C select an attribute set S, and S 2 T*, then executes the key extraction algorithm to obtain SK and runs the DO.Sign algorithms and FN.Sign algorithms to obtain and return the ciphertext CT* to A.
• Unsigncryption query: let CT be the ciphertext with respect to attribute set S queried by A, C first performs the key generation algorithm to obtain SK, then executes the DO.Unsign algorithms and FN.Unsign algorithms, and finally sends the result to A.
Forge: In the phase, A outputs the forged ciphertext CT of the message m*, and finally if A outputs Unsigncryption(CT, SK, S*) = m* 6 ¼ ?, then the game is won.The probablity advantage of A in winning the game can be defined as Adv Unforgeability A ¼ pr½A wins�:

The concrete scheme
As illustrated in Fig 3, The scheme is essentially made up of four phases, system initialization, private key generation, signcryption and unsigncryption, which are described in more detail below.
Phase 2: Private key generation PKG executes this algorithm, generates and issues private keys for DU.
• Randomly select r 1 2 Z * p , generate private key • For all attribute j 2 S, it selects random number r j 2 Z * p , and computes K j ¼ g r 1 � HðjÞ r j , K 0 j ¼ g r j .The private key SK ¼ ðK 1 ; K j ; K 0 j Þ is eventually distributed to the requested clients.

Phase 3: Signcryption
The signcryption algorithm includes two parts: data owner signcryption and fog node signcryption.Firstly, DO defines an access tree T and sends it to FN, it then run FN.Sign algorithm.
• FN signcryption.Fog nodes execute FN.Sign algorithm for outsource computing.
• Let x be a node in T , FN chooses a polynomial q x and sets the degree d x of q x as d x = k x − 1, where k x is the threshold value of x.Now, if x = r is the root node of T , then FN assigns a random number s 2 Z * p and sets q r (0) = s, if x 6 ¼ r, then FN sets q x (0) = q parent (x) (index(x)).
• Let Y be the leaf node set in T , for 8y 2 Y, FN calculates C = h s = g βs , C y = g q y (0), C 0 y ¼ HðattðyÞÞ q y ð0Þ , and sends part of the ciphertext CT 0 ¼ ðT ; C; C y ; C 0 y Þ to DO for the next signcryption.

Phase 4: Unsigncryption
The unsigncryption algorithm mainly includes two parts: data user unsigncryption and fog node unsigncryption.The data user selects the random number d 2 Z * p , then blinds the private key SK, computes � and finally sends the blinded pri- • FN unsigncryption.When DU downloads the ciphertext CT from the medical cloud, FN first runs the FN.Unsign algorithm, which is a recursive algorithm that takes node y 2 T , blinded private key � SK and ciphertext CT as input.
• If y is a non-leaf node, FN recursively calculates φ y 0 of node y's child node y 0 , let S y 0 be a set of any φ y -sized child node {y 0 }, if S y 0 = ;, then φ y 0 = Null; otherwise • If y = r is a root node, FN computes φ r = e(g, g) r 1 ds.
• Finally, FN calculates then sends (B, T, F) to DU for the next unsigncryption.
• DU unsigncryption.DU performs the final unsigncryption by receiving the parameters sent by FN.

Query phase 2:
For the second challenge initiated by adversary A, the reply process of B is similar to that of challenge phase 1.There is no unsigncryption challenge during this challenge phase.
Guess: Adversary A finally outputs a bit b 0 and if b 0 = b, then we claim that A wins the game.If Z = e(g, g) abc , then CT* is valid with an advantage of ε.So and the probability advantage of A is ε 2 .Theorem 2. The proposed attribute-based signcryption scheme satisfies EUF-CMA security based the CBDH hardness assumption.
Proof.Suppose there is an adversary A that can win game 2 with a non-negligible advantage ε in the probability polynomial time t, then an algorithm B can be constructed with the help of adversary A. Challenger C is given (A = g a , B = g b , C = g c ), a; b; c 2 Z * p as an instance in the CBDH problem, and adversary A tries to guess e(g, g) abc .Let θ = αs and y 2 Z * p .Initialization: Adversary A sends target attribute set S* to B, B chooses a; b 2 Z * p randomly.If β = 0, then the system Setup algorithm terminates, otherwise B run the system Setup algorithm to obtain public parameters pp.Then B sends h = g β and e(g, g) α to A. When A asks for the value of H, B randomly chooses t j 2 Z * p , and answers g t j .Query Phase: Adversary A initiates queries in each of the following phases.
• Key extraction query: if A requests private key SK based on attribute set S* multiple times, B . For attribute j 2 S, select r j 2 Z * p at random and compute K j ¼ g r 1 � HðjÞ r j and K 0 j ¼ g r j .So the private key is: SK ¼ ðK 1 ; 8j 2 S : K j ; K 0 j Þ, and then B returns SK to adversary A. When A sends the i-th key extraction to ask for the attribute set S i , B selects r ðiÞ 2 Z * p randomly, computs K 1 ¼ g aþr ðiÞ b , and for 8j 2 S i , computs , and sends ðK 1 ; K j ; K 0 j Þ to A.
• Signcryption query: B sets access control policy T * for authorized attribute set S*.If the challenged attribute set S* does not satisfy access control policy T * , then B can obtain the private key through the key generation algorithm.Then run the signcryption algorithm to send ciphertext CT to A. Assuming that attribute set S* satisfies access control policy T * , B selects b 2 Z * p randomly, and then use b to recover secret s or attribute j.B randomly selects y 2 Z * p , run the signcryption algorithm, and calculate C * ¼ m * � eðg; gÞ • Unsigncryption query: Adversary A initiates a unsigncryption query for ciphertext CT based on attribute set S*. B run the key generation algorithm to obtain private key SK, perform the unsigncryption algorithm, and send result m or ? to A.

Performance comparison
This section analyzes the advantages and disadvantages of our new scheme in relation to communication and computational capabilities.Compared with some existing attribute-based signcryption schemes [22][23][24][25]27], the capabilities of our new scheme is improved significantly.For convenience, the symbols used in this section are first summarised in Table 1.

Communication overhead
The viability of a scheme, particularly for resource-constrained IoT devices, heavily relies on communication overhead.The comparison between our new scheme and the schemes of [22][23][24][25]27] regarding communication overhead is presented in Table 2.The communication overhead of various stages, namely system initialization, key generation, signcryption, and unsigncryption, is primarily taken into consideration.When it comes to the key generation stage, the communication overhead of each scheme varies based on the number of attributes.However, our scheme stands out with the smallest overhead.By employing outsourcing techniques, the communication overhead of data users in the signcryption phase becomes independent of the number of attributes.This reduction in storage burden on the local side is of utmost importance for resource-constrained IoT devices.

Computational overhead
For the computational overhead, we will compare it from the aspects of theoretical analysis and numerical experiments.Theoretical analysis.We primarily consider the computational burden of various stages, including system initialization, key generation, signcryption and unsigncryption.To provide a clear comparison, Table 3 provides a comparison of the computational cost between our proposed scheme and the schemes referenced in [22][23][24][25]27].This comparison is based on the fact that addition and multiplication operations are significantly less computationally expensive than exponentiation, bilinear pairing, and hash operations.Thus, our main point of comparison revolves around the number of exponential operations, bilinear pairing operations, and hash operations across different schemes.
Table 3 reveals that the computational cost of the proposed scheme remains constant during the system initialization, DO signcryption and DU unsigncryption phases, regardless of the number of attributes.However, in [22], the key generation stage involves pairing operations, resulting in higher computational costs compared to other schemes.Furthermore, the schemes in [22][23][24][25] do not utilize outsourcing computing, which means that the computational cost for users varies depending on the complexity of the access policy.On the other hand, our approach ensures a stable computational overhead for data user signcryption, with most calculations outsourced to fog nodes during the signcryption phase.This includes the high-overhead pairing operation, allowing end users to decrypt messages without engaging in pairing operations.By employing outsourcing technology, the computation burden for data owners and users is minimized, further emphasizing the lightweight nature of this scheme.Numerical simulation.The numerical simulation comparison was conducted on a Linux operating system, utilizing a pairing-based cryptography library with Type-A bilinear pairing parameters [30].The programming was implemented in C language and executed on a PC with a 2.60 GHz CPU and 8 GB RAM.Our focus was primarily on observing the time variations during the system initialization stage, key generation stage, signcryption stage, and unsigncryption stage.We performed tests by altering the number of attributes, simulating attribute values from 20 to 140.
Fig 4 illustrates the initialization stage, where the setup algorithm is independent of attributes and follows a nearly straight line.However, the initialization stages except for [23,27] and our scheme are attribute-dependent, resulting in an increase in setup time as the number Hong [22] (1 of attributes changes.In the key generation phase (Fig 5), both the proposed scheme and the comparison scheme experience an increase in time as the number of attributes increases, but the proposed scheme performs the fastest.From Figs 6 and 7, it is evident that the running time of our new scheme in the DO signcryption and DU unsigncryption stages are optimal and attribute-independent, and thus their efficiency in terminal devices are the highest.This is due to we offload some heavy computation from the original client to the fog node, which means the scheme effectively reduces the computation of the resource-constrained devices, and improves the overall efficiency of the scheme, making it more suitable for smart healthcare scenarios.In the signcryption and unsigncryption stages, [24] demonstrates higher efficiency, but this is based on the assumption of a single attribute authority, whereas the actual scheme involves multiple attribute authorities.Therefore, if multiple attribute authorities are present, the efficiency of [24] will decrease.Through comprehensive analysis, we claim that the proposed scheme significantly enhances algorithm efficiency by partially outsourcing signcryption and unsigncryption operations to the fog node, aligning it more suitable for real-world application environments.

Conclusion
Aiming at the generation of massive data in smart health system and the attention of patients to privacy of personal health information.We proposes a lightweight attribute-based signcryption scheme based on cloud-fog assist.In smart healthcare system, we should not only consider the basic security requirements of medical data sharing, patient privacy and confidentiality, but also consider the computing and storage capabilities of resource-constrained devices in the IoT.Therefore, fog nodes are introduced in this paper, and a three-layer model structure of "cloud-fog-terminal" is constructed, and part of the operations in the signcryption stage and the unsigncryption stage are outsourced to the fog nodes, so that the end user's calculation cost in the signcryption stage is reduced.None pairing operation is involved, which significantly improves the computational efficiency of the scheme.Finally, under the random oracle model, the feasibility and security of the scheme are proved.Compared with the previous attribute-based signcryption scheme, our proposed scheme has better advantages in computing efficiency and is more suitable for practical smart medical application scenarios.As future work, we plan to conduct a series of simulated real-world experiences to evaluate the performance and practicality of our signcryption scheme, and design efficient a post-quantum based attribute-based signcryption scheme applicable to smart healthcare.

:
In this phase, A selects two different messages m 0 6 ¼ m 1 with equal length as the challenge message, and presents them to C to request the corresponding ciphertext.And C randomly chooses a bit b 2 {0, 1}, runs the DO.Sign algorithms and FN.Sign algorithms to gnerate and return the challenge ciphertext CT* of m * b to A. Query Phase 2: A can continue issue a similar inquiry as in Query Phase 1.Any adversary can initiate a signcryption challenge on any ciphertext apart from the challenged one.

aþr 1 b
�p .Eventually, it sends the ciphertext CT ¼ ðT ; C; C y ; C 0 y ; C * ; W; p; CÞ to the medical cloud for storage.

Forgery:
After A outputs a valid forged ciphertext CT * ¼ ðT * ; C * ; C j ; C 0 j ; p * ; C * Þ.The challenger C solves the CBDH assumption as follows.Since CT* is a valid ciphertext for m*, which means it can pass the verification equation, then there are C j = g ab , π = H(σ|m), C ¼ g c � D p 1 , σ = e(C, g) c .Adversary A outputs a fake verification s * ¼ eðC;CÞ B 0 p and S * 2 T * using attribute set S*.If S* 6 ¼ 0, then B terminates the algorithm, verifying that equation σ* holds.If the algorithm Unsigncrypt(CT, SK, S) = m* 6 ¼ ?then A wins the game.The advantages of solving the CBDH problem are: Adv CBDH B ¼ pr½Bðg a ; g b ; g c Þ ¼ eðg; gÞ abc � ¼ pr½A wins the Unforgeability game� ¼ Adv Unforgeability A > ε:
gÞ • If the access structure satisfies the attribute set, let B ¼ FN:UnsignðCT; SK; rÞ ¼ eðg; gÞ r ðiÞ �q y ð0Þ�d ¼ eðg; gÞ r 1 �s�d .Then calculate C * = B 0 =φ 0 R ¼ m � eðg; gÞ In this phase, A selects two different messages m 0 6 ¼ m 1 with equal length, B randomly chooses b 2 {0, 1}, and signcrypts message m * b based on challenge attribute set S*.The process for generating challenge ciphertext CT* is the following: first, B randomly chooses s 2 Z * p , and uses f j to recover the secret s or attribute j; calculates C * ¼ m * b � Z, C j = g ab , and C 0 j ¼ g t j f j ; randomly selects B 2 Z * p , and calculates s * ¼ eðC; gÞ s�a ¼ m: • Finally verify the correctness of the signature by the equation: bsm ¼ s: Challenge: B , p * ¼ Hðs * jm * b Þ, and